CVE-2024-56587
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/12/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
leds: class: Protect brightness_show() with led_cdev->led_access mutex<br />
<br />
There is NULL pointer issue observed if from Process A where hid device<br />
being added which results in adding a led_cdev addition and later a<br />
another call to access of led_cdev attribute from Process B can result<br />
in NULL pointer issue.<br />
<br />
Use mutex led_cdev->led_access to protect access to led->cdev and its<br />
attribute inside brightness_show() and max_brightness_show() and also<br />
update the comment for mutex that it should be used to protect the led<br />
class device fields.<br />
<br />
Process A Process B<br />
<br />
kthread+0x114<br />
worker_thread+0x244<br />
process_scheduled_works+0x248<br />
uhid_device_add_worker+0x24<br />
hid_add_device+0x120<br />
device_add+0x268<br />
bus_probe_device+0x94<br />
device_initial_probe+0x14<br />
__device_attach+0xfc<br />
bus_for_each_drv+0x10c<br />
__device_attach_driver+0x14c<br />
driver_probe_device+0x3c<br />
__driver_probe_device+0xa0<br />
really_probe+0x190<br />
hid_device_probe+0x130<br />
ps_probe+0x990<br />
ps_led_register+0x94<br />
devm_led_classdev_register_ext+0x58<br />
led_classdev_register_ext+0x1f8<br />
device_create_with_groups+0x48<br />
device_create_groups_vargs+0xc8<br />
device_add+0x244<br />
kobject_uevent+0x14<br />
kobject_uevent_env[jt]+0x224<br />
mutex_unlock[jt]+0xc4<br />
__mutex_unlock_slowpath+0xd4<br />
wake_up_q+0x70<br />
try_to_wake_up[jt]+0x48c<br />
preempt_schedule_common+0x28<br />
__schedule+0x628<br />
__switch_to+0x174<br />
el0t_64_sync+0x1a8/0x1ac<br />
el0t_64_sync_handler+0x68/0xbc<br />
el0_svc+0x38/0x68<br />
do_el0_svc+0x1c/0x28<br />
el0_svc_common+0x80/0xe0<br />
invoke_syscall+0x58/0x114<br />
__arm64_sys_read+0x1c/0x2c<br />
ksys_read+0x78/0xe8<br />
vfs_read+0x1e0/0x2c8<br />
kernfs_fop_read_iter+0x68/0x1b4<br />
seq_read_iter+0x158/0x4ec<br />
kernfs_seq_show+0x44/0x54<br />
sysfs_kf_seq_show+0xb4/0x130<br />
dev_attr_show+0x38/0x74<br />
brightness_show+0x20/0x4c<br />
dualshock4_led_get_brightness+0xc/0x74<br />
<br />
[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060<br />
[ 3313.874301][ T4013] Mem abort info:<br />
[ 3313.874303][ T4013] ESR = 0x0000000096000006<br />
[ 3313.874305][ T4013] EC = 0x25: DABT (current EL), IL = 32 bits<br />
[ 3313.874307][ T4013] SET = 0, FnV = 0<br />
[ 3313.874309][ T4013] EA = 0, S1PTW = 0<br />
[ 3313.874311][ T4013] FSC = 0x06: level 2 translation fault<br />
[ 3313.874313][ T4013] Data abort info:<br />
[ 3313.874314][ T4013] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000<br />
[ 3313.874316][ T4013] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br />
[ 3313.874318][ T4013] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br />
[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000<br />
..<br />
<br />
[ 3313.874332][ T4013] Dumping ftrace buffer:<br />
[ 3313.874334][ T4013] (ftrace buffer empty)<br />
..<br />
..<br />
[ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader<br />
[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74<br />
[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60<br />
[ 3313.874656][ T4013] sp : ffffffc0b910bbd0<br />
..<br />
..<br />
[ 3313.874685][ T4013] Call trace:<br />
[ 3313.874687][ T4013] dualshock4_led_get_brightness+0xc/0x74<br />
[ 3313.874690][ T4013] brightness_show+0x20/0x4c<br />
[ 3313.874692][ T4013] dev_attr_show+0x38/0x74<br />
[ 3313.874696][ T4013] sysfs_kf_seq_show+0xb4/0x130<br />
[ 3313.874700][ T4013] kernfs_seq_show+0x44/0x54<br />
[ 3313.874703][ T4013] seq_read_iter+0x158/0x4ec<br />
[ 3313.874705][ T4013] kernfs_fop_read_iter+0x68/0x1b4<br />
[ 3313.874708][ T4013] vfs_read+0x1e0/0x2c8<br />
[ 3313.874711][ T4013] ksys_read+0x78/0xe8<br />
[ 3313.874714][ T4013] __arm64_sys_read+0x1c/0x2c<br />
[ 3313.874718][ T4013] invoke_syscall+0x58/0x114<br />
[ 3313.874721][ T4013] el0_svc_common+0x80/0xe0<br />
[ 3313.874724][ T4013] do_el0_svc+0x1c/0x28<br />
[ 3313.874727][ T4013] el0_svc+0x38/0x68<br />
[ 3313.874730][ T4013] el0t_64_sync_handler+0x68/0xbc<br />
[ 3313.874732][ T4013] el0t_64_sync+0x1a8/0x1ac
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.287 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.174 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.120 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.66 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.5 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4ca7cd938725a4050dcd62ae9472e931d603118d
- https://git.kernel.org/stable/c/50d9f68e4adf86901cbab1bd5b91f710aa9141b9
- https://git.kernel.org/stable/c/84b42d5b5fcd767c9b7f30b0b32065ed949fe804
- https://git.kernel.org/stable/c/b8283d52ed15c02bb2eb9b1b8644dcc34f8e98f1
- https://git.kernel.org/stable/c/bb4a6236a430cfc3713f470f3a969f39d6d4ca25
- https://git.kernel.org/stable/c/ddcfc5708da9972ac23a9121b3d819b0a53d6f21
- https://git.kernel.org/stable/c/f6d6fb563e4be245a17bc4261a4b294e8bf8a31e
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html